PaloAltoNetworks / ansible-pan

Ansible modules for Palo Alto Networks NGFWs

timeout (xapi.keygen) with panos_import #87

Closed TinajaLabs closed 6 years ago

TinajaLabs commented 6 years ago

I'm getting a timeout on the panos_import command.

I see a reference to xapi.keygen() in the traceback... Showing my playbook and the traceback below.

Thanks for any tips, Chris.

---

- name: Initialize the Palo Alto Networks firewall
  hosts: localhost
  connection: local
  gather_facts: False

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  vars:
    config_file: "/opt/ansible/files/pan/PA-test-Preliminary.xml"
    ip_address: 10.255.5.45
    username: "admin"
    password: "wackydoo"

  tasks:

  - name: set admin password
    panos_admpwd:
      ip_address: "{{ ip_address }}"
      key_filename: "/home/me/.ssh/my.pem"
      username: "{{ username }}"
      newpassword: "{{ password }}"

  - name: import configuration xml file into PAN-OS
    panos_import:
      ip_address: "{{ ip_address }}"
      username: "{{ username }}"
      password: "{{ password }}"
      file: "{{ config_file }}"
      category: "configuration"
    register: result

  - name: load configuration
    panos_loadcfg:
      ip_address: "{{ ip_address }}"
      password: "{{ password }}"
      file: "{{result.filename}}"

The error with -vvv on the command line:

The full traceback is:
  File "/tmp/ansible_aAF16c/ansible_module_panos_import.py", line 179, in main
    changed, filename = import_file(xapi, module, ip_address, file_, category)
  File "/tmp/ansible_aAF16c/ansible_module_panos_import.py", line 98, in import_file
    xapi.keygen()
  File "/usr/lib/python2.7/site-packages/pan/xapi.py", line 637, in keygen
    raise PanXapiError(self.status_detail)

fatal: [localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "category": "configuration",
            "file": "/opt/ansible/files/pan/PA-test-Preliminary.xml",
            "ip_address": "10.255.5.45",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "url": null,
            "username": "admin"
        }
    },
    "msg": "URLError: reason: [Errno 110] Connection timed out"
}

TinajaLabs commented 6 years ago

Ack. My bad... maybe this will help someone else who hits this one.

In my playbook I was setting the password with panos_admpwd using SSH and the pem file.

The next call used panos_import, which uses HTTPS. I didn't put that together in my head; I was so focused on the error it threw.

The AWS security group that I set up for the PAN management interface only had SSH available and not HTTPS. Once I realized that, I opened port 443 and we're off to the races.

Closing...
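
An added example, not part of the original thread or the ansible-pan project: a preflight check that probes the TCP port each module needs and separates a silent drop (the `Connection timed out` in the traceback, which is what a filtering rule such as a security group produces) from a refusal. The default ports 22 and 443 are an assumption, and `probe`, `preflight` and `explain` are hypothetical helper names.

```python
import errno
import socket
import sys

# Transport per module as described in the thread: panos_admpwd uses SSH,
# panos_import uses HTTPS. Default ports 22/443 are an assumption.
MODULE_PORTS = {"panos_admpwd": 22, "panos_import": 443}

def probe(host, port, timeout=3.0):
    """Classify host:port as 'open', 'refused', 'filtered' or 'error:<code>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # RST came back: host reachable, no listener
    except socket.timeout:
        return "filtered"     # no reply within our own timeout
    except OSError as exc:
        if exc.errno == errno.ETIMEDOUT:   # kernel timeout, "[Errno 110]"
            return "filtered"
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))

def preflight(host, modules, ports=MODULE_PORTS, timeout=3.0):
    """Probe the port each module needs; return {module: (port, state)}."""
    return {m: (ports[m], probe(host, ports[m], timeout)) for m in modules}

HINTS = {
    "open": "ok",
    "refused": "host reachable, service not listening",
    "filtered": "no reply, check security group / ACL for this port",
}

def explain(report):
    """Turn a preflight report into one human-readable line per module."""
    return ["%s tcp/%d %s: %s" % (m, port, state, HINTS.get(state, "see errno"))
            for m, (port, state) in report.items()]

if __name__ == "__main__":
    # Constructed default target; pass the management IP as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    report = preflight(target, MODULE_PORTS)
    print("\n".join(explain(report)))
    sys.exit(0 if all(s == "open" for _, s in report.values()) else 1)
```

Run from the Ansible control host before the playbook; a `filtered` result for `panos_import` alongside `open` for `panos_admpwd` matches the situation described in this issue.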

ivanbojer commented 6 years ago

Thank you for the characterization and the cleanup!